diff options
author | kuriyama <kuriyama@FreeBSD.org> | 2001-06-24 22:41:00 +0000 |
---|---|---|
committer | kuriyama <kuriyama@FreeBSD.org> | 2001-06-24 22:41:00 +0000 |
commit | 50bd3d18aa017e35e13921385b77f731e5d46e2e (patch) | |
tree | 765ef420e7d168e9e03658800312765824f2d0dd /sys/netinet6 | |
parent | 97b4de31d7aa8755ff95e50ee32121bcf1a5a06b (diff) | |
download | FreeBSD-src-50bd3d18aa017e35e13921385b77f731e5d46e2e.zip FreeBSD-src-50bd3d18aa017e35e13921385b77f731e5d46e2e.tar.gz |
Merge from netinet/ip_fw.c (1.117 -> 1.118).
o Use syslog(3) interface for logging.
Reviewed by: ume
MFC after: 10 days
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- | sys/netinet6/ip6_fw.c | 114 |
1 files changed, 69 insertions, 45 deletions
diff --git a/sys/netinet6/ip6_fw.c b/sys/netinet6/ip6_fw.c index f0245cf..8b8707b 100644 --- a/sys/netinet6/ip6_fw.c +++ b/sys/netinet6/ip6_fw.c @@ -41,6 +41,7 @@ #include <sys/kernel.h> #include <sys/socket.h> #include <sys/socketvar.h> +#include <sys/syslog.h> #include <sys/time.h> #include <net/if.h> #include <net/route.h> @@ -93,11 +94,11 @@ SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw6_verbose, 0, "" SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw6_verbose_limit, 0, ""); #endif -#define dprintf(a) if (!fw6_debug); else printf a - -#define print_ip6(a) printf("[%s]", ip6_sprintf(a)) - -#define dprint_ip6(a) if (!fw6_debug); else print_ip6(a) +#define dprintf(a) do { \ + if (fw6_debug) \ + printf a; \ + } while (0) +#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0 static int add_entry6 __P((struct ip6_fw_head *chainptr, struct ip6_fw *frwl)); static int del_entry6 __P((struct ip6_fw_head *chainptr, u_short number)); @@ -332,93 +333,114 @@ ip6fw_report(struct ip6_fw *f, struct ip6_hdr *ip6, struct udphdr *const udp = (struct udphdr *) ((caddr_t) ip6+ off); struct icmp6_hdr *const icmp6 = (struct icmp6_hdr *) ((caddr_t) ip6+ off); int count; + char *action; + char action2[32], proto[102], name[18]; + int len; count = f ? f->fw_pcnt : ++counter; if (fw6_verbose_limit != 0 && count > fw6_verbose_limit) return; /* Print command name */ - printf("ip6fw: %d ", f ? f->fw_number : -1); + snprintf(SNPARGS(name, 0), "ip6fw: %d", f ? f->fw_number : -1); + + action = action2; if (!f) - printf("Refuse"); - else + action = "Refuse"; + else { switch (f->fw_flg & IPV6_FW_F_COMMAND) { case IPV6_FW_F_DENY: - printf("Deny"); + action = "Deny"; break; case IPV6_FW_F_REJECT: if (f->fw_reject_code == IPV6_FW_REJECT_RST) - printf("Reset"); + action = "Reset"; else - printf("Unreach"); + action = "Unreach"; break; case IPV6_FW_F_ACCEPT: - printf("Accept"); + action = "Accept"; break; case IPV6_FW_F_COUNT: - printf("Count"); + action = "Count"; break; case IPV6_FW_F_DIVERT: - printf("Divert %d", f->fw_divert_port); + snprintf(SNPARGS(action2, 0), "Divert %d", + f->fw_divert_port); break; case IPV6_FW_F_TEE: - printf("Tee %d", f->fw_divert_port); + snprintf(SNPARGS(action2, 0), "Tee %d", + f->fw_divert_port); break; case IPV6_FW_F_SKIPTO: - printf("SkipTo %d", f->fw_skipto_rule); + snprintf(SNPARGS(action2, 0), "SkipTo %d", + f->fw_skipto_rule); break; default: - printf("UNKNOWN"); + action = "UNKNOWN"; break; } - printf(" "); + } switch (nxt) { case IPPROTO_TCP: - printf("TCP "); - print_ip6(&ip6->ip6_src); + len = snprintf(SNPARGS(proto, 0), "TCP [%s]", + ip6_sprintf(&ip6->ip6_src)); if (off > 0) - printf(":%d ", ntohs(tcp6->th_sport)); + len += snprintf(SNPARGS(proto, len), ":%d ", + ntohs(tcp6->th_sport)); else - printf(" "); - print_ip6(&ip6->ip6_dst); + len += snprintf(SNPARGS(proto, len), " "); + len += snprintf(SNPARGS(proto, len), "[%s]", + ip6_sprintf(&ip6->ip6_dst)); if (off > 0) - printf(":%d", ntohs(tcp6->th_dport)); + snprintf(SNPARGS(proto, len), ":%d", + ntohs(tcp6->th_dport)); break; case IPPROTO_UDP: - printf("UDP "); - print_ip6(&ip6->ip6_src); + len = snprintf(SNPARGS(proto, 0), "UDP [%s]", + ip6_sprintf(&ip6->ip6_src)); if (off > 0) - printf(":%d ", ntohs(udp->uh_sport)); + len += snprintf(SNPARGS(proto, len), ":%d ", + ntohs(udp->uh_sport)); else - printf(" "); - print_ip6(&ip6->ip6_dst); + len += snprintf(SNPARGS(proto, len), " "); + len += snprintf(SNPARGS(proto, len), "[%s]", + ip6_sprintf(&ip6->ip6_dst)); if (off > 0) - printf(":%d", ntohs(udp->uh_dport)); + snprintf(SNPARGS(proto, len), ":%d", + ntohs(udp->uh_dport)); break; case IPPROTO_ICMPV6: if (off > 0) - printf("IPV6-ICMP:%u.%u ", icmp6->icmp6_type, icmp6->icmp6_code); + len = snprintf(SNPARGS(proto, 0), "IPV6-ICMP:%u.%u ", + icmp6->icmp6_type, icmp6->icmp6_code); else - printf("IPV6-ICMP "); - print_ip6(&ip6->ip6_src); - printf(" "); - print_ip6(&ip6->ip6_dst); + len = snprintf(SNPARGS(proto, 0), "IPV6-ICMP "); + len = snprintf(SNPARGS(proto, len), "[%s]", + ip6_sprintf(&ip6->ip6_src)); + snprintf(SNPARGS(proto, len), " [%s]", + ip6_sprintf(&ip6->ip6_dst)); break; default: - printf("P:%d ", nxt); - print_ip6(&ip6->ip6_src); - printf(" "); - print_ip6(&ip6->ip6_dst); + len = snprintf(SNPARGS(proto, 0), "P:%d [%s]", nxt, + ip6_sprintf(&ip6->ip6_src)); + snprintf(SNPARGS(proto, len), " [%s]", + ip6_sprintf(&ip6->ip6_dst)); break; } + if (oif) - printf(" out via %s", if_name(oif)); + log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s\n", + name, action, proto, if_name(oif)); else if (rif) - printf(" in via %s", if_name(rif)); - printf("\n"); + log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s\n", + name, action, proto, if_name(rif)); + else + log(LOG_SECURITY | LOG_INFO, "%s %s %s", + name, action, proto); if (fw6_verbose_limit != 0 && count == fw6_verbose_limit) - printf("ip6fw: limit reached on rule #%d\n", + log(LOG_SECURITY | LOG_INFO, "ip6fw: limit reached on entry %d\n", f ? f->fw_number : -1); } @@ -907,9 +929,11 @@ zero_entry6(struct mbuf *m) if (fw6_verbose) { if (frwl) - printf("ip6fw: Entry %d cleared.\n", frwl->fw_number); + log(LOG_SECURITY | LOG_NOTICE, + "ip6fw: Entry %d cleared.\n", frwl->fw_number); else - printf("ip6fw: Accounting cleared.\n"); + log(LOG_SECURITY | LOG_NOTICE, + "ip6fw: Accounting cleared.\n"); } return(0); |